The IE Security Breach

MSIE3.02 is out - covering ALL the fixes plus more! (3/24/97)
Microsoft strongly encourages all Windows 95 and Windows NT 4.0 users to download Internet Explorer 3.02, which includes fixes to the security issues reported this month, plus an updated Internet Mail and News that makes sure people are warned before launching a program attached to an e-mail message. Internet Explorer 3.02 is a completely new version of the browser and includes fixes not provided in the "patch" fixes you may have already downloaded. This release also delivers new features known as Auto-Proxy and Auto-Configuration that network administrators and Internet service providers have asked for to help them deploy and maintain the browser for employees and customers.

Read below to find out why:

Internet Explorer contains a security hole which allows hackers to remotely execute any command or program on the user's PC by using a simple shortcut file embedded in a Web page's HTML code. This security breach was discovered by students from the Worcester Polytechnic Institute, and a complete explanation together with examples was posted on their Web site: http://www.cybersnot.com/iebug.html.

This security hole affects all users of Internet Explorer version 3.0 for Windows 95 and Windows NT. The problem is very serious because it bypasses all security features built into the software and allows any novice Webmaster to create a malicious hyperlink that can cause havoc on any surfer's hard disk. All the Webmaster must do is create a small shortcut file with the command they want to execute remotely on the user's PC and hyperlink to it inside their HTML code. When a web surfer connects to such a hostile site and clicks on the hyperlink, this remote command is executed with full ability to delete, change or run any file on the user's hard disk.

Microsoft immediately developed and posted a fix - http://www.microsoft.com/ie/security/update.htm
Note: Revisit the MS Update site frequently - new patches are being posted regularly.

Some People Don't Like the Bug-Fix

Cybersnot responds:
We have received a number of messages from users who don't like the way the patched version of Internet Explorer handles .LNKs and .URLs. The issue they bring up is that Internet Explorer will still execute .LNKs and .URLs that are downloaded from a website if the user chooses "Open It" from the dialog box IE displays. We feel that this is the appropriate action for .LNK and .URL files because it matches what happens when a user tries to download an executable (.EXE or .COM) or any other unknown file type. The issue with the .LNK and .URL bug was not IE's ability to run the files, but rather the fact that it didn't bother to warn users and give them a chance to abort.

If that isn't enough for you:

EliaShim jumps in with a Draconian Fix - http://www.eliashim.com/presrel/pr030497.html - to provide a full FREE solution that can be downloaded by all IE users. IE-SAFE - http://www.eliashim.com/iesafe/ - is a small utility program that checks all references to shortcut files and disables IE from executing them. IE-SAFE is based on the unique technology developed by EliaShim programmers and is used in the ViruSafe-WEB Anti-Virus Plug-in product. IE-SAFE is a transparent and easy to install solution that safeguards IE users from any potential danger by checking each and every shortcut file in the system, allowing execution only for local shortcuts (from the user's PC) and stopping all shortcuts initiated from a remote Web site.
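
The two handling policies described above, as an added Python example that is not code from Microsoft, Cybersnot or EliaShim: it audits the hyperlinks in a page and returns "prompt" for the file types the patched browser is said to warn on, or "block" for shortcuts on a remote host under an IE-SAFE-style rule. The function names, the sample page, the example.test host and the rule that only host-less file: URLs count as local are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit, unquote

SHORTCUT_EXTS = {".lnk", ".url"}                # shortcut types named in the article
PROMPT_EXTS = SHORTCUT_EXTS | {".exe", ".com"}  # types the patched IE is said to warn on

def link_extension(url):
    """Lower-cased extension of the URL path; query, fragment and %-encoding ignored."""
    path = unquote(urlsplit(url).path).replace("\\", "/")
    name = path.rsplit("/", 1)[-1].rstrip(". ")  # Windows drops trailing dots and spaces
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""

def is_remote(url):
    """Assumption: only file: URLs with no host count as 'from the user's PC'."""
    parts = urlsplit(url)
    return parts.scheme != "file" or parts.netloc not in ("", "localhost")

def decide(href, base, block_remote_shortcuts=False):
    """Return 'open', 'prompt' or 'block' for a link found on the page at `base`."""
    target = urljoin(base, href)
    ext = link_extension(target)
    if block_remote_shortcuts and ext in SHORTCUT_EXTS:
        return "block" if is_remote(target) else "open"   # IE-SAFE-style rule
    return "prompt" if ext in PROMPT_EXTS else "open"      # patched-IE-style rule

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hrefs = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

def audit(html, base, block_remote_shortcuts=False):
    collector = LinkCollector()
    collector.feed(html)
    return [(h, decide(h, base, block_remote_shortcuts)) for h in collector.hrefs]

# Constructed sample page and base URLs (example.test is a placeholder host).
SAMPLE = """<a href="index.htm">home</a>
<a href="files/Tools.LNK?v=1">tools</a>
<a href="site%2Eurl">favourite</a>
<a href="setup.exe">setup</a>"""
REMOTE_BASE = "http://example.test/pub/page.htm"
LOCAL_BASE = "file:///C:/docs/page.htm"

if __name__ == "__main__":
    for base in (REMOTE_BASE, LOCAL_BASE):
        for strict in (False, True):
            print(base, strict, audit(SAMPLE, base, strict))
```

The extension check normalises case, percent-encoding, query strings and trailing dots or spaces before matching, since a filter that compares the raw link text would miss those spellings.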

